-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA06-117A
Scripts in eBay Postings May Enable Phishing Attacks
Original release date: April 27, 2006
Last revised: --
Source: US-CERT
Systems Affected
The eBay web site may contain pages that affect various web
browsers.
Overview
A vulnerability in the eBay web site may allow an attacker to steal
personal information from eBay customers.
Solution
Verify the legitimacy of eBay web pages
Attackers may use the vulnerability to perform a phishing attack.
Make sure that the URL is accurate, and check the web site
certificate to make sure that you are visiting an authentic eBay
web page.
Description
eBay allows users to incorporate a type of code, also known as
scripting, into the auction descriptions on its web site. An
attacker can use this code to modify pages on eBay's web site or
redirect you to a malicious web page. These may appear to be
legitimate eBay web pages that request personal information. Using
these techniques, an attacker may be able to collect your
passwords, credit card numbers, or other personal information.
Please see US-CERT Vulnerability note VU#808921 for details and
additional workarounds.
References
* US-CERT Vulnerability Note VU#808921 -
<http://www.kb.cert.org/vuls/id/808921>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* Avoiding Social Engineering and Phishing Attacks -
<http://www.us-cert.gov/cas/tips/ST04-014.html>
* Understanding Web Site Certificates -
<http://www.us-cert.gov/cas/tips/ST05-010.html>
* eBay's Spoof Email Tutorial -
<http://pages.ebay.com/education/spooftutorial/spoof_3.html>
* eBay Security Center - <http://pages.ebay.com/securitycenter>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA06-117A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@xxxxxxxx> with "SA06-117A Feedback VU#808921" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Apr 27, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRFEZUn0pj593lg50AQJvVAgAxq4gihWKulDYYc6cHGJ3tAoJHnYvZ7U/
8odvuFMee2XZl7ojIuHGSCB6H/U/T3VQEq28eaIHe24Ql4VOxiKeRiEPk9JRpFSX
Ei+JFC9yly6G/N537Ko3Ydo7YwN/JZypyH55TBg0znEPSbtwToG/md1oxFOyahBJ
JQtE0EZyLYN7uqlGUPD1svkzwdUOc8ltu4/Ivt4pJXTCcPPW8lGlKrS+UBwcd0Wp
Dii+ctv0sBci5PWoWaU5Cd2DezptCTKne/R+KG5xxCeQVHgvKQd+j7szKycfc/o5
kwoVAv0IE1U9FgdhPZJzONrcCFAdK+hFefZgC4qGqWYg14vEDnK8EA==
=Y89H
-----END PGP SIGNATURE-----